Intrusion detection and prevention systems constantly monitor the communications that flow through a networking environment. They protect the network by intercepting or dropping suspicious traffic and by issuing an alert to the network administrator. Intercepting or dropping suspicious traffic is what keeps the network secure.
Networks are vulnerable to malicious attacks or threats, which may take the form of Trojans or malware that sniff and collect user information for unknown future attacks.
Mobile devices such as phones, smartphones, tablets or any other mobile computing platform can use methods such as the Global Positioning System (GPS), the wireless network Basic Service Set Identifier (BSSID)/SSID, Global System for Mobile Communications (GSM) triangulation or a geo Internet Protocol (IP) database, among other methods, to collect data concerning the physical location of the device. A service set identifier (SSID) may be defined as a sequence of characters that uniquely names a wireless local area network (WLAN). An SSID is sometimes referred to as a “network name.” This name allows stations to connect to the desired network when multiple independent networks operate in the same physical area. Each set of wireless devices communicating directly with each other is called a basic service set (BSS).
Statistical anomaly-based detection is one category of intrusion detection. This method of detection first establishes a baseline of average network traffic conditions. After the baseline is created, the system intermittently samples network traffic and uses statistical analysis to compare each sample against the baseline. If the activity falls outside the baseline parameters, the intrusion prevention system takes the appropriate action. This particular form of intrusion detection monitors both user and network behaviors. Clustering is one form of such statistical techniques.
Today there is no solution that can identify a ‘clean zone’ or ‘trust zone’, i.e. a specific geographical location or region that has not been subjected to multiple attacks, or to a predefined threshold number of attacks, by one or more networks. The types of attack may vary from one location to another and may include, for example, drive-by attacks, drive-by spamming attacks, basement attacks, man-in-the-middle attacks and other types of attacks known in the art.
Still less is there any application of clustering techniques to establishing a trust zone for drive-by attacks. There is no solution that can show an attack at a specific location, for two main reasons:
1. These types of attacks are not being detected; and
2. The attacks are not reported, especially not in a way that would enable drawing a threat-level or attack-level map; i.e. in the prior art there is no correlation between the attack itself and the location of the attack.
For example, attacks on an organization or company are generally directed at the location of the organization itself, such as the company's headquarters. Commonly, the organization includes many branches in various locations, e.g. the attacks can be on Branch A located in zone 1, on Branch B located in zone 2 and on Branch C located in zone 3. Furthermore, people are more mobile today, especially with the proliferation of mobile devices of many types, many with expanded computing power, and while traveling they may be unaware of attacks relative to their current geographic location. Moreover, it is common for primary executives, such as the company's CEO or CFO, to be targeted wherever they are, for example at a coffee shop outside the company's network location. Additionally, attacks are being targeted at more diverse and more specific locations, for example when an executive is on vacation, or when the attacker is attempting industrial espionage. Therefore, knowing and identifying ‘danger’ or ‘malicious’ zones is advantageous in order to prevent further attacks at one or more specific locations.
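As an added illustration of the baseline-and-sample detection described above, combined with the per-zone correlation the text says the prior art lacks, the following Python is not part of the original document. It uses a simple mean/standard-deviation baseline (a z-score test, not the clustering technique the text mentions) and all sample values, zone names and thresholds are constructed for the example.

```python
import statistics
from collections import Counter

# Constructed baseline: requests per minute observed during a quiet period
# on one branch network (hypothetical values, not measured data).
BASELINE_SAMPLES = [120, 131, 118, 125, 129, 122, 127, 124, 130, 119]

# Constructed later observations as (zone, requests_per_minute); the zone is
# the geographic area the sampled traffic was associated with.
OBSERVATIONS = [
    ("zone 1", 126), ("zone 1", 410), ("zone 1", 385),
    ("zone 2", 123), ("zone 2", 131),
    ("zone 3", 290), ("zone 3", 128),
]


def build_baseline(samples):
    """Summarise average traffic conditions as (mean, population stdev)."""
    return statistics.mean(samples), statistics.pstdev(samples)


def is_anomalous(value, baseline, z_threshold=3.0):
    """A sample is outside the baseline when it lies more than
    z_threshold standard deviations from the baseline mean."""
    mean, stdev = baseline
    if stdev == 0:  # degenerate baseline: any deviation counts
        return value != mean
    return abs(value - mean) / stdev > z_threshold


def zone_threat_map(observations, baseline, attack_threshold=2):
    """Correlate anomalies with location. A zone whose anomaly count reaches
    the predefined threshold is labelled 'danger', otherwise 'clean'.
    Returns {zone: (anomaly_count, label)}."""
    anomalies = Counter(
        zone for zone, value in observations if is_anomalous(value, baseline)
    )
    zones = {zone for zone, _ in observations}
    return {
        zone: (anomalies[zone],
               "danger" if anomalies[zone] >= attack_threshold else "clean")
        for zone in sorted(zones)
    }


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    for zone, (count, label) in zone_threat_map(OBSERVATIONS, base).items():
        print(f"{zone}: {count} anomalous sample(s) -> {label}")
```

Zone 3 shows a single anomalous sample and stays below the attack threshold, so it remains a clean zone until further anomalies accumulate.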